TLDR: VPN-newbie wants to learn how to set up and use VPN.

What I have:

Currently, many of my selfhosted services are publicly available via my domain name. I am aware that it is safer to keep things closed, and use VPN to access – but I don’t know how that works.

  • domain name mapped via Cloudflare > static WAN IP > ISP modem > Ubiquiti USG3 gateway > Linux server and Raspberry Pi.
  • 80,443 forwarded to Nginx Proxy Manager; everything else closed.
  • Linux server running Docker and several containers: NPM, Portainer, Paperless, Gitea, Mattermost, Immich, etc.
  • Raspberry Pi running Pi-hole as DNS server for LAN clients.
  • Synology NAS as network storage.

What I want:

  • access services from WAN via Android phone.
  • access services from WAN via laptop.
  • maybe still keep some things public?
  • noob-friendly solution: needs to be easy to “grok” and easy to maintain when services change.
  • Lordjohn68@lemmy.world · 6 points · 1 year ago

    I chose WireGuard implemented by PiVPN (I like Pis).

    WireGuard app on phone and a quick duckduck will find you a script or app for your laptop. Connected to your home in seconds.

    • PlutoniumAcid@lemmy.world (OP) · 4 points · 1 year ago

      PiVPN is elegant. Easy install, and I am impressed with the ASCII QR code it generates.

      But I could not make it work. I am guessing that my Android setup is faulty, orrrr maybe something with the Pi? This is incredibly difficult to troubleshoot.

    • PlutoniumAcid@lemmy.world (OP) · 1 point · 1 year ago

      I used ZeroTier before and I still use it now. It is also the solution I am now going to continue with.

      I wanted to try WireGuard to get away from a centrally managed solution, but if I can’t get it working after several hours, and ZeroTier took five minutes - the winner is clear.

  • BearOfaTime@lemm.ee · 5 up, 1 down · edited · 1 year ago

    Tailscale can meet each of your bullet points.

    Don’t bother with VPN, just use Tailscale, and install the client on your other devices (they have clients for every OS).

    This creates an encrypted virtual network between your devices. It can even enable access to hardware, like printers (or anything with an IP address) by enabling Subnet Routing.

    To provide access to specific resources for other people, you can use the Funnel feature, which provides an entrance into your Tailscale Network for the specified resources, fully encrypted, from anywhere. No Tailscale client required.

    And if you have friends who use Tailscale, using the Serve option, you can invite them to connect to your Tailscale network (again, for specified resources) from their Tailscale network.

  • teslasaur@lemmy.world · 2 points · 1 year ago

    Personally I would have gone for OpenVPN Access Server on Debian. Fairly simple and well documented for those starting out.

    I have used and worked with OpenVPN Connect on Android, PC and Mac.

  • rambos@lemm.ee · 2 points · 1 year ago

    Not an expert, but basically you should port forward WireGuard port 51820 to your server, install the WireGuard server, create client(s) and load the QR code (or config) on Android/laptop and you are set. Pi-hole DNS and everything else should work just like when you are on home wifi.

    You can leave your CF for public access, but do you really need PF 80 and 443 if you are using CF tunnels? (I thought you don’t, but I never used CF. Feels like it’s more safe to have CF tunnels if you don’t need to PF, but you have a middle man you have to trust.)
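    The steps in the comment above as a concrete WireGuard server/client configuration pair, added here as an illustration and not written by any commenter; it assumes a 192.168.1.0/24 LAN with the Linux server at 192.168.1.10 and the Pi-hole at 192.168.1.2, a 10.8.0.0/24 tunnel subnet, eth0 as the server's LAN interface, and placeholder keys and hostname (server file first, then the phone's client file).

```ini
# ---- Server: /etc/wireguard/wg0.conf on the Linux server (assumed 192.168.1.10) ----
[Interface]
Address = 10.8.0.1/24
# UDP 51820 forwarded on the USG to 192.168.1.10 (the "port forward" step above)
ListenPort = 51820
# Placeholder: output of `wg genkey`
PrivateKey = <SERVER_PRIVATE_KEY>
# Route tunnel traffic onto the LAN so clients reach NPM, Pi-hole, NAS, etc.
# Needs net.ipv4.ip_forward=1; eth0 is the assumed LAN interface name.
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# One [Peer] block per client (the "create client(s)" step); this one is the Android phone.
[Peer]
# Placeholder: `wg pubkey < phone.key`
PublicKey = <PHONE_PUBLIC_KEY>
# Placeholder: `wg genpsk`; optional, same value on both sides
PresharedKey = <PHONE_PSK>
# Only packets whose source is this tunnel address are accepted from this peer
AllowedIPs = 10.8.0.2/32

# ---- Client: phone.conf, the file shown as a QR code / imported into the WireGuard app ----
[Interface]
Address = 10.8.0.2/32
# Placeholder: output of `wg genkey`; this key never leaves the phone
PrivateKey = <PHONE_PRIVATE_KEY>
# Pi-hole on the LAN, so DNS and ad-blocking behave as on home Wi-Fi
DNS = 192.168.1.2

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
PresharedKey = <PHONE_PSK>
# Placeholder hostname that resolves to the static WAN IP
Endpoint = vpn.example.com:51820
# Split tunnel: only the tunnel subnet and the home LAN go through the VPN.
# Use "0.0.0.0/0, ::/0" here instead to send all of the phone's traffic home.
AllowedIPs = 10.8.0.0/24, 192.168.1.0/24
# Keeps the NAT mapping alive on mobile networks (seconds)
PersistentKeepalive = 25
```

    The Endpoint must be the raw WAN IP or a DNS-only (unproxied) record, since a Cloudflare-proxied name only carries HTTP(S) and will not pass UDP 51820. The laptop gets its own key pair and a second [Peer] block on the server with AllowedIPs = 10.8.0.3/32, with the same client layout.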

    • PlutoniumAcid@lemmy.world (OP) · 2 points · 1 year ago

      Thank you for providing specific steps that I can take! I will look into this.

      No, I do not use Cloudflare tunnels, just regular Cloudflare to publish my services to the whole world - which is a concern of course.

      Going with a connection from my device via WireGuard sounds like just the right thing to do.

  • 1boiledpotato@sh.itjust.works · 2 points · 1 year ago

    You would want to set up a VPN server on your Linux server and VPN clients on Android and laptop. I’m not knowledgeable enough to help, but you can look into WireGuard.